Not Validating the Session May Lead to Account Deletion

Aneesha D (ohzo)
Dec 31, 2022

Session termination is an important part of the session lifecycle. Keeping the lifetime of session tokens to a minimum decreases the likelihood of a successful session hijacking attack. It can also be seen as a control against attacks such as Cross-Site Scripting and Cross-Site Request Forgery, which are known to rely on the user having an authenticated session present. Without secure session termination, the attack surface for any of these attacks only grows; for example, an account could be deleted without the password, or the password check could be bypassed.

Secure session termination requires at least the following components:

  • Session termination after the password or email is updated.
  • Session termination after a given amount of time without activity (session timeout).
  • Proper invalidation of server-side session state.
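As an added example (not the author's code, nor that of the site described), here is a minimal in-memory session store that implements the three components above: a per-user generation counter is bumped on every email (or password) change so that sessions issued earlier, including one in another browser, are rejected on their next request; idle sessions expire; and all state lives server side. The function names, the store layout and the 15-minute timeout are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds without activity before a session expires (assumed value)
users = {}     # user_id -> {"email": str, "generation": int}
sessions = {}  # token   -> {"user_id": str, "generation": int, "last_seen": float}

def register(user_id, email):
    users[user_id] = {"email": email, "generation": 0}

def login(user_id, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable session identifier
    sessions[token] = {"user_id": user_id, "last_seen": now,
                       "generation": users[user_id]["generation"]}
    return token

def validate(token, now=None):
    """Return the user id for a live session, or None if it must be rejected."""
    now = time.time() if now is None else now
    s = sessions.get(token)
    if s is None:
        return None
    user = users.get(s["user_id"])
    if (now - s["last_seen"] > IDLE_TIMEOUT            # idle timeout
            or user is None                            # account no longer exists
            or s["generation"] != user["generation"]):  # issued before a credential change
        sessions.pop(token, None)                      # drop the server-side state
        return None
    s["last_seen"] = now
    return s["user_id"]

def update_email(token, new_email, now=None):
    """Change the email and invalidate every session except the one acting."""
    user_id = validate(token, now)
    if user_id is None:
        return False
    users[user_id]["email"] = new_email
    users[user_id]["generation"] += 1   # every other session now fails validate()
    sessions[token]["generation"] = users[user_id]["generation"]
    return True

def delete_account(token, now=None):
    user_id = validate(token, now)      # only a session that is valid right now may delete
    if user_id is None:
        return False
    users.pop(user_id)
    sessions.pop(token, None)
    return True
```

A password change would bump the same generation counter; the session that made the change is re-bound to the new generation so the acting user stays logged in.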

Let's talk about the vulnerability I found.

Consider a site “” where users can sign up and use their account. It also has a dashboard with options like Update Email, Password, Delete Account, etc.

I created an account using and logged in with two different browsers. Later, I updated the email in one of the browsers and checked the other browser to invalidate…
